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What Is Claimed Is: 

A method for facilitating secure transmission of an email message 
to anonymous recipients without divulging the identities of the anonymous 
recipients, comprising: 

identifying recipients of the email message, wherein the recipients can 
include known recipients, who can be identified by examining the email message, 
and anonymous recipients, who cannot be identified by examining the email 
message; 

generating a session key for the email message; 

encrypting a body of the email message with the session key; 

creating a recipient block for the email message that contains an entry for 
each recipient of the email message; 

wherein each entry in the recipient block contains the session key 
encrypted with a public key associated with the recipient to form an encrypted 
session key, so that only a corresponding private key held by the recipient can be 
used to decrypt the encrypted session key; 

wherein each entry additionally contains an identifier for the associated 
public key, so that each recipient can determine whether the recipient possesses 
the corresponding private key that can decrypt the encrypted session key; 

wherein identifiers for public keys belonging to known recipients are 
statistically unique; 

wherein identifiers for public keys belonging to anonymous recipients are 
not statistically unique; and 

sending the email message to the recipients. 
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1 2. The method of claim 1, wherein identifiers for public keys 

2 belonging to anonymous recipients provide only enough information to exclude a 

3 large percentage of all possible corresponding private keys from being able to 

4 decrypt the body of the email message. 

1 3 . The method of claim 2, wherein an identifier for a public key is 

2 formed by creating a hash of the public key. 

1 4. The method of claim 3 5 wherein an identifier for a public key 

2 belonging to an anonymous recipient is additionally modified so the identifier is 

3 not statistically unique; 

4 whereby the identifier cannot be used to uniquely identify the anonymous 

5 recipient; and 

6 whereby a recipient can use the identifier to exclude a large percentage of 

7 all possible corresponding public keys held by the recipient from matching the 

8 identifier. 

1 5. The method of claim 1, further comprising, - encrypting the body 

2 of the email message, including a checksum into the body of the email message, 

3 so that a recipient can examine the checksum to verify that the correct private key 

4 was used in decrypting the email message. 

A method for facilitating secure transmission of an email message 

2 to anonymous recipients without divulging the identities of the anonymous 

3 recipients, comprising: 

4 receiving the email message at a recipient, wherein the email message 

5 includes, 
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a message body that has been encrypted with a session key, 

a recipient block that contains an entry for each recipient of 
the email message, 

wherein each entry in the recipient block contains the 
session key encrypted with a public key associated with the 
recipient to form an encrypted session key, 

wherein each entry additionally contains an identifier for 
the associated public key, 

wherein identifiers for public keys belonging to known 
recipients are statistically unique, and 

wherein identifiers for public keys belonging to anonymous 
recipients are not statistically unique; 



attempting to match a candidate public key held by the recipient with key 
identifier in the recipient block; 

if the candidate public key matches a key identifier, 



decrypting the associated encrypted session key using an 

associated private key to restore the session key, 

decrypting the message body using the session key, and 
examining a checksum in the message body to verify that 

message body was correctly decrypted. 



7. The method of claim 6, wherein identifiers for public keys 
belonging to anonymous recipients provide only enough information to exclude a 
large percentage of all possible corresponding private keys from being able to 
decrypt the message body of the email message. 
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8. The method of claim 7, wherein an identifier for a public key is 
formed by creating a hash of the public key. 

9. The method of claim 8, wherein an identifier for a public key 
belonging to an anonymous recipient is additionally modified so the identifier is 
not statistically unique; 

whereby the identifier cannot be used to uniquely identify the anonymous 
recipient; and 

whereby a recipient can use the identifier to exclude a large percentage of 
all possible public keys belonging to the recipient from matching the identifier. 

^ A computer-readable storage medium storing instructions that 
when executed by a computer cause the computer to perform a method for 
facilitating secure transmission of an email message to anonymous recipients 
without divulging the identities of the anonymous recipients, the method 
comprising: 

identifying recipients of the email message, wherein the recipients can 
include known recipients, who can be identified by examining the email message, 
and anonymous recipients, who cannot be identified by examining the email 
message; 

generating a session key for the email message; 

encrypting a body of the email message with the session key; 

creating a recipient block for the email message that contains an entry for 
each recipient of the email message; 

wherein each entry in the recipient block contains the session key 
encrypted with a public key associated with the recipient to form an encrypted 
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16 session key, so that only a corresponding private key held by the recipient can be 

1 7 used to decrypt the encrypted session key; 

1 8 wherein each entry additionally contains an identifier for the public key, so 

19 that each recipient can determine whether the recipient possesses the 

20 corresponding private key that can decrypt the encrypted session key; 

2 1 wherein identifiers for public keys belonging to known recipients are 

22 statistically unique; 

23 wherein identifiers for public keys belonging to anonymous recipients are 

24 not statistically unique; and 

25 sending the email message to the recipients. 



C 1 11. The computer-readable storage medium of claim 1 0, wherein 

01 

Sj 2 identifiers for public keys belonging to anonymous recipients provide only enough 

Jl 3 information to exclude a large percentage of all possible corresponding private 

tfJ 4 keys from being able to decrypt the body of the email message. 

m 

p 1 12. The computer-readable storage medium of claim 1 1 , wherein an 

2 identifier for a public key is formed by creating a hash of the public key. 



fy 



1 13. The computer-readable storage medium of claim 12, wherein an 

2 identifier for a public key belonging to an anonymous recipient is additionally 

3 modified so the identifier is not statistically unique; 

4 whereby the identifier cannot be used to uniquely identify the anonymous 

5 recipient; and 

6 whereby a recipient can use the identifier to exclude a large percentage of 

7 all possible public keys belonging to the recipient from matching the identifier. 
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1 14. The computer-readable storage medium of claim 10, wherein prior 

2 to encrypting the body of the email message, the method further comprises 

3 including a checksum into the body of the email message, so that a recipient can 

4 examine the checksum to verify that the correct private key was used in 

5 decrypting the email message. 




1 16- A computer-readable storage medium storing instructions that 

2 when executed by a computer cause the computer to perform a method for 

3 facilitating secure transmission of an email message to anonymous recipients 

4 without divulging the identities of the anonymous recipients, the method 
^ 5 comprising: 

*0 6 receiving the email message at a recipient, wherein the email message 

pi 

SlJ 7 includes, 

Sj 

Hi 8 a message body that has been encrypted with a session key, 

~ 9 a recipient block that contains an entry for each recipient of 

a y 

s 10 the email message, 

p «% 1 1 wherein each entry in the recipient block contains the 

Q 12 session key encrypted with a public key associated with the 

fu 

Q 1 3 recipient to form an encrypted session key, 

^ 14 wherein each entry additionally contains an identifier for 

1 5 the associated public key, 

16 wherein identifiers for public keys belonging to known 

17 recipients are statistically unique, and 

18 wherein identifiers for public keys belonging to anonymous 

19 recipients are not statistically unique; 

20 attempting to match a candidate public key held by the recipient with key 

2 1 identifier in the recipient block; 
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if the candidate public key matches a key identifier, 

decrypting the associated encrypted session key using an 

associated private key to restore the session key, 

decrypting the message body using the session key, and 
examining a checksum in the message body to verify that 

message body was correctly decrypted. 

1 6. The computer-readable storage medium of claim 15, wherein 
identifiers for public keys belonging to anonymous recipients provide only enough 
information to exclude a large percentage of all possible corresponding private 
keys from being able to decrypt the message body of the email message. 

1 7. The computer-readable storage medium of claim 1 6, wherein an 
identifier for a public key is formed by creating a hash of the public key. 

18. The computer-readable storage medium of claim 1 7, wherein an 
identifier for a public key belonging to an anonymous recipient is additionally 
modified so the identifier is not statistically unique; 

whereby the identifier cannot be used to uniquely identify the anonymous 
recipient; and 

whereby a recipient can use the identifier to exclude a large percentage of 
all possible public keys belonging to the recipient from matching the identifier. 



49. An apparatus that facilitates secure transmission of an email 
message to anonymous recipients without divulging the identities of the 
anonymous recipients, comprising: 
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4 an identifying mechanism that is configured to identify recipients of the 

5 email message, wherein the recipients can include known recipients, who can be 

6 identified by examining the email message, and anonymous recipients, who 

7 cannot be identified by examining the email message; 

8 a key generation mechanism that is configured to generate a session key 

9 for the email message; 

1 0 an encryption mechanism that is configured to encrypt a body of the email 

1 1 message with the session key; 

12 a recipient block creation mechanism that is configured to create a 

13 recipient block for the email message that contains an entry for each recipient of 

14 the email message; 

1 5 wherein each entry in the recipient block contains the session key 

16 encrypted with a public key associated with the recipient to form an encrypted 

17 session key, so that only a corresponding private key held by the recipient can be 

1 8 used to decrypt the encrypted session key; 

19 wherein each entry additionally contains an identifier for the associated 

20 public key, so that each recipient can determine whether the recipient possesses 

21 the corresponding private key that can decrypt the encrypted session key; 

22 wherein identifiers for public keys belonging to known recipients are 

23 statistically unique; 

24 wherein identifiers for public keys belonging to anonymous recipients are 

25 not statistically unique; and 

26 a sending mechanism that is configured to send the email message to the 

27 recipients. 

1 20. The apparatus of claim 19, wherein identifiers for public keys 

2 belonging to anonymous recipients provide only enough information to exclude a 
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3 large percentage of all possible corresponding public keys from being able to 

4 decrypt the body of the email message. 

1 21 . The apparatus of claim 20, wherein an identifier for a public key is 

2 a hash of the public key. 

1 22. The apparatus of claim 2 1 , wherein the recipient block creation 

2 mechanism is additionally configured to modify an identifier for a public key 

3 belonging to an anonymous recipient so the identifier is not statistically unique; 

4 whereby the identifier cannot be used to uniquely identify the anonymous 
n 5 recipient; and 

6 whereby a recipient can use the identifier to exclude a large percentage of 

pi 

Sj 7 all possible public keys held by the recipient from matching the identifier. 



1 23. The apparatus of claim 19, further comprising a checksum 

s . 2 mechanism that, wherein prior to encrypting the body of the email message, the 

^ 3 checksum mechanism is configured to include a checksum into the body of the 

O 4 email message, so that a recipient can examine the checksum to verify that the 

□ 5 correct private key was used in decrypting the email message. 



P 



1 /4. An apparatus that facilitates secure transmission of an email 

2 message to anonymous recipients without divulging the identities of the 

3 anonymous recipients, comprising: 

4 a receiving mechanism that is configured to receive the email message at a 

5 recipient, wherein the email message includes, 

6 a message body that has been encrypted with a session key, 
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a recipient block that contains an entry for each recipient of 
the email message, 

wherein each entry in the recipient block contains the 
session key encrypted with a public key associated with the 
recipient to form an encrypted session key, 

wherein each entry additionally contains an identifier for 
the associated public key, 

wherein identifiers for public keys belonging to known 
recipients are statistically unique, and 

wherein identifiers for public keys belonging to anonymous 
recipients are not statistically unique; 
a matching mechanism that is configured to attempt to match a candidate 
public key belonging to the recipient with key identifier in the recipient block; 

a decryption mechanism, wherein if the candidate public key matches a 
key identifier, the decryption mechanism is configured to, 

decrypt the associated encrypted session key using a 
corresponding private key to restore the session key, 

decrypt the message body using the session key, and to 
examine a checksum in the message body to verify that 
message body was correctly decrypted. 

1 25. The apparatus of claim 24, wherein identifiers for public keys 

2 belonging to anonymous recipients provide only enough information to exclude a 

3 large percentage of all possible corresponding private keys from being able to 

4 decrypt the message body of the email message. 
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1 26. The apparatus of claim 25, wherein an identifier for a public key is 

2 a hash of the public key. 

1 27. The apparatus of claim 26, wherein an identifier for a public key 

2 belonging to an anonymous recipient is additionally modified so the identifier is 

3 not statistically unique; 

4 whereby the identifier cannot be used to uniquely identify the anonymous 

5 recipient; and 

6 whereby a recipient can use the identifier to exclude a large percentage of 

7 all possible public keys belonging to the recipient from matching the identifier. 
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